AWS Key Management Service
Developer Guide

Enabling and Disabling Keys

You can use the IAM section of the AWS Management Console to enable and disable customer master keys (CMKs). When you create a CMK, it is enabled by default. If you disable a CMK, it cannot be used to encrypt or decrypt data. Note that AWS-managed CMKs are permanently enabled for use by services that use AWS KMS. You cannot disable them.

You can also delete CMKs. For more information, see Deleting Customer Master Keys.

To enable or disable a CMK

  1. Open the Encryption Keys section of the Identity and Access Management (IAM) console at

  2. For Region, choose the appropriate AWS region. Do not use the region selector in the navigation bar (top right corner).

  3. Select the check box next to the alias of the CMK(s) that you want to enable or disable.

    You cannot disable AWS-managed CMKs, which are denoted by the orange AWS icon.

  4. To enable a CMK, choose Key actions, Enable. To disable a CMK, choose Key actions, Disable.
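
The same enable and disable operation is available through the AWS KMS API. The following is an added example, not code from this guide: it uses the boto3 KMS client calls describe_key, enable_key and disable_key, skips AWS-managed CMKs, and leaves a key alone when its state is neither Enabled nor Disabled. The function names and status strings are assumptions made for the example.

```python
# Added example, not AWS sample code. Function names and the returned
# status strings are hypothetical; the kms.* calls are boto3 KMS client methods.

def set_cmk_enabled(kms, key_id, enabled):
    """Enable (enabled=True) or disable one CMK and return a status string.

    kms is a boto3 KMS client for the key's region; key_id may be a key ID,
    key ARN or alias name such as "alias/app-data".
    """
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]

    # AWS-managed CMKs are permanently enabled and cannot be disabled.
    if meta.get("KeyManager") == "AWS":
        return "skipped: AWS-managed"

    state = meta["KeyState"]
    target = "Enabled" if enabled else "Disabled"
    if state == target:
        return "unchanged: already " + target.lower()
    if state not in ("Enabled", "Disabled"):
        # For example PendingDeletion: the key is scheduled for deletion.
        return "skipped: key state is " + state

    # describe_key accepts an alias, but enable_key/disable_key need the
    # key ID or ARN, so use the resolved ID from the metadata.
    if enabled:
        kms.enable_key(KeyId=meta["KeyId"])
    else:
        kms.disable_key(KeyId=meta["KeyId"])
    return "changed: now " + target.lower()


def set_cmks_enabled(kms, key_ids, enabled):
    """Apply set_cmk_enabled to several keys; return {key_id: status}."""
    return {key_id: set_cmk_enabled(kms, key_id, enabled) for key_id in key_ids}


if __name__ == "__main__":
    import sys
    import boto3  # needs credentials allowed to call DescribeKey/EnableKey/DisableKey

    # Usage: script.py REGION enable|disable KEY [KEY ...]
    if len(sys.argv) < 4 or sys.argv[2] not in ("enable", "disable"):
        sys.exit("usage: script.py REGION enable|disable KEY [KEY ...]")
    region, action, *keys = sys.argv[1:]
    client = boto3.client("kms", region_name=region)
    for key, status in set_cmks_enabled(client, keys, action == "enable").items():
        print(key, "->", status)
```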